Think your password is secure? Think again

“Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it’s attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.”

Well, there goes my assumption that my simple eight-character password will suffice. And don’t think that using a crypto program like my beloved PGP is going to help:

“The results are all over the map. Microsoft Office, for example, has a simple password-to-key conversion, so PRTK can test 350,000 Microsoft Word passwords per second on a 3-GHz Pentium 4, which is a reasonably current benchmark computer. WinZip used to be even worse — well over a million guesses per second for version 7.0 — but with version 9.0, the cryptosystem’s ramp-up function has been substantially increased: PRTK can only test 900 passwords per second. PGP also makes things deliberately hard for programs like PRTK, also only allowing about 900 guesses per second.”
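The spread in those figures (350,000 guesses per second against Word, about 900 against WinZip 9.0 and PGP) comes down to how much work the password-to-key conversion costs, because an offline guesser has to repeat that conversion for every candidate. The script below is an added example for this page, not code from the article or from PRTK: it contrasts a one-hash conversion with an iterated PBKDF2 derivation, measures how many derivations per second this machine manages for each, and turns the two PRTK rates into worst-case times to exhaust a few password shapes. The password, salt and iteration count are assumed values chosen for the demonstration.

```python
import hashlib
import math
import time

# Constructed inputs for this example (not from the article and not PRTK's code).
PASSWORD = b"tr0ub4dor"
SALT = bytes.fromhex("5a3f9c1e7b2d4e6f8a0c1b2d3e4f5a6b")


def simple_kdf(password: bytes, salt: bytes) -> bytes:
    """A 'simple password-to-key conversion': one hash over salt||password.
    Cheap for the legitimate user, equally cheap for every guess."""
    return hashlib.sha256(salt + password).digest()


def stretched_kdf(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """A deliberately slow conversion (PBKDF2-HMAC-SHA256). The iteration count
    is the 'ramp-up' knob; the article credits WinZip 9.0 and PGP with this kind
    of slowdown. 100,000 is an assumed figure for the demonstration."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def guesses_per_second(kdf, samples: int) -> float:
    """Time `samples` derivations and return the implied single-core guess rate
    (an offline guesser needs one derivation per candidate password)."""
    start = time.perf_counter()
    for _ in range(samples):
        kdf(PASSWORD, SALT)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a given length over an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy of a uniformly random choice from `space` passwords."""
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every password at `rate` guesses per second;
    a uniformly random password is found after half of this on average."""
    return space / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # The two PRTK rates quoted in the article, applied to three password shapes.
    for label, rate in (("Word, 350,000/s", 350_000), ("WinZip 9 / PGP, 900/s", 900)):
        for shape, space in (("8 lowercase letters", keyspace(26, 8)),
                             ("8 printable ASCII", keyspace(95, 8)),
                             ("12 random alphanumerics", keyspace(62, 12))):
            print(f"{label}: {shape} ({entropy_bits(space):.0f} bits) "
                  f"exhausted in {describe(seconds_to_exhaust(space, rate))}")
    # What this machine manages per core for each conversion.
    print(f"simple conversion: ~{guesses_per_second(simple_kdf, 10_000):,.0f} guesses/s")
    print(f"stretched conversion: ~{guesses_per_second(stretched_kdf, 10):,.1f} guesses/s")
```

Run it and the arithmetic is plain: stretching lowers the guess rate and lengthens the time to exhaust a keyspace by the same factor, nothing more. Eight lowercase letters are exhausted in about seven days at the Word rate and about seven years at the PGP rate, so a slow conversion buys time for a weak password without rescuing it, whereas twelve random alphanumerics put the worst case far beyond any practical horizon at either rate.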

Equally illuminating are some of the comments, and the replies by Bruce, to wit:

“Of course longer is better. If you have a 32-character password, no software cracker is going to find it.”

“A useful class of memorable passwords that are difficult to cast as a PRTK-style stereotype is equations.

For the physically or mathematically-minded, they can be very easy to remember. They also make it easy to involve symbols (memorably). And since the notation for terms can have a very broad variation, they are probably not easy to search efficiently. And, there are a lot of them, many of which are quite obscure.

An example from classical mechanics: Hamiltonian evolution with Poisson Bracket notation might yield a password like

dy/dt={H,y}

Considering the possible variations (ydot instead of dy/dt, Heisenberg evolution with commutators, replace y by a Greek letter like Psi, subtract the RHS from both sides, many more) it seems like a losing game to try to create a stereotype search for these. And in this case, obscurity does aid security.”

“Interestingly, it sounds to me like a combination of two (reasonably long) dictionary words with a small non-alpha infix would survive this attacker fairly well.”

“Seems like a shift in the root is all you need to be less predictable. The progression I often have experienced in terms of user password maturity:

1) simple root (password)
2) simple root with appendages (password123)
3) root with character-shift and appendages (p@ssW0rd123!)
4) phrase with character-shift and appendages (e.g. I wish I had a dollar for every star = iW1h@$4e*)
5) random digits generated by a program and stored securely with a level 4 password

I wonder how well something like PRTK would be in recovering the formula used to generate the password if it had multiple passwords to compare.”
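Seen from the attacker's side, the progression quoted above is a rule set: a guesser that tries bare roots first, then roots with appendages, then case- and leet-shifted roots with appendages will reach levels 1 to 3 in very few guesses, which is what makes a cheap password-to-key conversion so dangerous. The script below is an added example and is not PRTK's code, dictionaries or rules: the root list, appendages and substitution map are small constructed stand-ins, the target hashes are built in the script with a constructed salt, and the equation-style password from the earlier comment is included to show the rule set running out without a hit.

```python
import hashlib
import os

# Constructed inputs for this example (not PRTK's real dictionaries or rules):
# a tiny "most common first" root list, the appendages users bolt on, and a
# leet-style character shift. Real tools carry millions of roots and rules.
ROOTS = ["password", "letmein", "qwerty", "welcome", "monkey"]
APPENDAGES = ["", "1", "123", "!", "1!", "123!", "2007"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def case_variants(root: str):
    """Level-3 'character shift', part one: the case changes people actually make."""
    yield root
    yield root.capitalize()
    yield root.upper()


def leet_variants(word: str):
    """Level-3 'character shift', part two: the word as typed, then leet-substituted."""
    yield word
    shifted = word.translate(LEET)
    if shifted != word:
        yield shifted


def candidates():
    """Yield guesses in the order of the maturity progression quoted above, so the
    most common shapes are tried first: bare roots (level 1), roots with appendages
    (level 2), then case/leet-shifted roots with appendages (level 3)."""
    for root in ROOTS:                      # level 1
        yield root
    for root in ROOTS:                      # level 2
        for app in APPENDAGES[1:]:
            yield root + app
    for root in ROOTS:                      # level 3
        for base in case_variants(root):
            for word in leet_variants(base):
                for app in APPENDAGES:
                    yield word + app


def fast_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for a cheap password-to-key conversion (one SHA-256)."""
    return hashlib.sha256(salt + password.encode()).digest()


def crack(target: bytes, salt: bytes):
    """Offline guess loop: returns (password, guesses) on a hit, or (None, guesses)
    once the rule set is exhausted. Candidates produced twice by overlapping rules
    are hashed only once, so the count is the number of distinct guesses."""
    seen = set()
    for guess in candidates():
        if guess in seen:
            continue
        seen.add(guess)
        if fast_hash(guess, salt) == target:
            return guess, len(seen)
    return None, len(seen)


if __name__ == "__main__":
    salt = os.urandom(16)   # constructed per run; the targets below are hashed with it
    for secret in ["password", "qwerty123", "P@$$w0rd123!", "dy/dt={H,y}"]:
        found, guesses = crack(fast_hash(secret, salt), salt)
        status = "found" if found else "not found"
        print(f"{secret!r}: {status} after {guesses} guesses")
```

The numbers to watch are the guess counts: the three shapes taken from the progression fall within the first 55 guesses, while the equation-style password outlives the entire rule set of 175 candidates. A real PRTK-style rule set is enormously larger, so the defence is not a cleverer root but a password with no root at all, which is the case the password-manager comments below make.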

“@Simon: “how does Password Safe help?”

It helps in two ways: First, it allows you to choose different passwords for different services. Not many among us can remember 40 distinct passwords; we either have to write them down or re-use the same passwords over and over again, which becomes a nightmare with the different password choice and lifetime policies out there.

Second, it allows you to generate random passwords. Myself, I use different, random 12 character passwords for each service. In cases where I don’t care about identity, I even use a randomly generated user name.

“When away from my computer I’d not know the passwords.”

There’s not many services that I want to use when I’m away from my computer, so it’s not much of an issue for me.

Password Safe and its clones can also be installed on a USB stick, along with the password database. Although I would somewhat hesitate to trust a public computer.”

@Squyd: That just sounds like a LOT of work. Why bother? Use a password manager with a password generator built in. Done.

Me, I use Password Master myself (from the excellent team at Dreameesoft) so I can use it on my pda, but they are all much of a much-ness.

I’m now going through all of my different passworded accounts and randomising them with Password Master rather than relying on my old 8-character password which is the same one I use on multiple sites (very dangerous and stupid, I know, but I’m lazy!)

https://www.passpack.com Tara Kelly (PassPack)

Hi, glad to hear you’ve decided to change to lots of unique, long passwords. You’ll surely sleep better at night.

On being lazy – I can completely understand. Does Password Master have an automatic login feature? That really helps.

Cheers,
Tara

http://leehopkins.net/ Lee Hopkins

G’day Tara!

All of the various password softwares have one problem – cross-platform.

For instance, my tool of choice (because of my pda) is Password Master. But it won’t work on a U3 drive.

Something that works on a U3 drive won’t work on my pc AND my windows mobile pda.

And so it goes on…

Password Master is no different (better or worse) than any of the others, but it does have one bad habit: it DOMINATES my cpu. If it’s running, even in the background, I can forget about doing some resource-intensive stuff like creating sound files or working with Illustrator or Photoshop.

One day there will be a tool that will work across all platforms… [sigh]

http://leehopkins.net/ Lee Hopkins

As for the automatic login feature — no. I know that some of the programs for the U3 drive do, but they don’t work on my pda…

It’s a real bugger!

https://www.passpack.com/ Tara Kelly (PassPack)

I was going to suggest trying PassPack for the cross-platform problem (I’m a founder). It’s an online service, so all you need is an internet connection and you can access your stuff from any computer.

Alas, we don’t have a version optimized for mobile screens quite yet. So it wouldn’t solve your PDA compatibility problem.

Lots of people choke on the idea of storing passwords online. But actually, your data is encrypted on-the-fly before leaving your browser – so once your passwords reach our server, they are fully encrypted and can’t be read by anyone (not PassPack, not hackers, not spying governments).

If you do give it a go, let me know what you think – I’m always open to feedback.

Cheers,
Tara

http://www.leehopkins.net/ Lee Hopkins

Thanks for that offer, Tara.

I’d take you up on it but for one small problem: several of my clients don’t allow net access from their computers, but I still need to remember a stack of passwords to access various parts of their internal worlds, hence the beauty of a pda password store.

I guess I’ll just have to keep searching and praying… {smile}

https://www.passpack.com/ Tara Kelly (PassPack)

Wow. No net access. I think I’d pull my hair out!

Good luck to you.

Password managers have just begun a new evolution cycle. I’m sure the product you’re looking for is right around the corner.

Cheers,
Tara
